What is DNSSEC, and Why Does My Website Need It?

Over the past few years, online security has understandably risen in prominence. One thing every website can do to improve its security is adopt Domain Name System Security Extensions (DNSSEC).

DNSSEC adds a special digital signature to a domain’s DNS records to affirm the authenticity of that source domain name. Why is this valuable? DNSSEC addresses a certain category of security risks and helps prevent malicious activities like cache poisoning, pharming, and man-in-the-middle attacks.

Let’s go over how this actually works in practice.

Say you open up your browser and type in a domain name like CanSpace.ca in the address bar. To be able to open that website, a resolver first needs to take the domain name and translate it to a numerical address (IP address) that identifies your site. The DNS is like the Internet’s phone book.

Unfortunately, the DNS protocol is not always as secure as it could be. It’s actually possible for a hijacker to interrupt the process above, associate their own IP address with the domain the user has typed into their address bar, and ultimately send the user to a different website (that may be styled deceptively to mimic the original) where valuable account and password information can be stolen.

It’s these kinds of activities that have made it necessary to increase security with the use of DNSSEC. DNSSEC makes the resolver first verify the domain’s digital signature and compare it to one that’s on file at the registry. If the signature doesn’t match, it could mean that someone is pretending to be your website, and the process is interrupted to protect the visitor.

Think of DNSSEC as the key that needs to go in the lock before the door between a domain name and the IP address of that same site can be opened.
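The comparison against the record "on file at the registry" can be made concrete with a short added example (not CanSpace's code). The parent zone publishes a DS record, a hash of the domain's public DNSKEY, and the sketch below recomputes that hash and the key tag as defined in RFC 4034 and RFC 4509; the domain `example.ca` and the key bytes are constructed for illustration. A full validator additionally verifies the RRSIG signatures at every level up to the root trust anchor.

```python
import hashlib
import struct

def wire_name(name: str) -> bytes:
    """Canonical wire form of an owner name: lowercase, length-prefixed labels."""
    if name in ("", "."):
        return b"\x00"  # the root zone
    out = b""
    for label in name.rstrip(".").lower().split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) <= 63:
            raise ValueError(f"bad label in {name!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"

def dnskey_rdata(flags: int, protocol: int, algorithm: int, key: bytes) -> bytes:
    """DNSKEY RDATA: flags (2 bytes), protocol (1), algorithm (1), public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + key

def key_tag(rdata: bytes) -> int:
    """Key tag from RFC 4034 Appendix B: a 16-bit checksum over the RDATA."""
    acc = 0
    for i, byte in enumerate(rdata):
        acc += byte if i & 1 else byte << 8
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def ds_digest(owner: str, rdata: bytes) -> str:
    """DS digest type 2: SHA-256 over owner name plus DNSKEY RDATA."""
    return hashlib.sha256(wire_name(owner) + rdata).hexdigest()

def matches_ds(owner: str, rdata: bytes, ds: tuple) -> bool:
    """ds = (key_tag, algorithm, digest_type, digest_hex) as held by the parent."""
    tag, algorithm, digest_type, digest_hex = ds
    if digest_type != 2:
        raise ValueError("this sketch only handles SHA-256 (digest type 2)")
    return (tag == key_tag(rdata) and algorithm == rdata[3]
            and digest_hex.lower() == ds_digest(owner, rdata))

# Constructed sample data: not a real key, flags 257 = key-signing key,
# algorithm 15 = Ed25519 (32-byte public key).
OWNER = "example.ca"
RDATA = dnskey_rdata(257, 3, 15, bytes(range(32)))
DS_ON_FILE = (key_tag(RDATA), 15, 2, ds_digest(OWNER, RDATA))
FORGED = dnskey_rdata(257, 3, 15, bytes(32))  # an impostor's different key

if __name__ == "__main__":
    print("genuine key accepted:", matches_ds(OWNER, RDATA, DS_ON_FILE))
    print("forged key accepted: ", matches_ds(OWNER, FORGED, DS_ON_FILE))
```
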

By securing the directory lookup, DNSSEC takes care of one crucial part of Internet security. Once you’ve actually connected to the website in question, HTTPS can then protect the visitor from there on. These two systems are complementary.

Origin Authentication of Data: This feature further validates authoritative sources, making it harder for malicious third parties to carry out man-in-the-middle attacks.

Data Integrity: In this process, records are cryptographically signed. If they were modified during a master/secondary zone transfer, it will show up when resolving a record.

Authenticated Denial of Existence: If a query has no data, authoritative servers can provide a response that proves no data exists.

With all these benefits, you might be surprised to find out that DNSSEC is still not very widely used. By some estimates, fewer than 10% of all sites currently make use of this technology. Still, adoption is increasing every year and DNSSEC is becoming a powerful tool in the development of a safer and more trustworthy Internet.

How does DNSSEC actually help you? For one, it shows your customers that your business cares about their security. For security-minded individuals, it also makes using your site, and especially submitting transactions through it, less of a concern.

CanSpace Solutions is a 100% Canadian website hosting solution handling everything from small business websites to large sites with dedicated server solutions. If you’re a current or prospective customer, you’ll be happy to hear that DNSSEC is available free on all our domains!

The CanSpace Team
